Remix.run Logo
insanitybit 2 hours ago

What a state of things where we have to fear installing software, and rely on vendors to scan things ahead of time, because our supply chain is such a mess and our tooling is so incapable of (and uninterested in) protecting us.

Insimwytim 2 hours ago | parent | next [-]

You cannot call it a supply chain, if you have zero contractual relationships with the authors of the solutions you are using.

[1] https://news.ycombinator.com/item?id=44434355

stingraycharles 2 hours ago | parent | next [-]

I mean, that’s just arguing over whether or not the definition of “supply” implies “compensation”, which isn’t very interesting imho.

The grandparent’s point remains the same, the software ecosystem and its supply chain or however you want to call it is a hot mess.

xgulfie 2 hours ago | parent [-]

Traditionally the term "supply chain" has implied a buyer/seller relationship

stingraycharles an hour ago | parent [-]

I think that’s up to debate, and my point is that debating whether free software counts as “supply” or not is really not that interesting.

cryo32 2 hours ago | parent | prev [-]

Oh that one really makes you think doesn’t it.

madeofpalk 2 hours ago | parent | prev | next [-]

What would a solution to this look like?

What would it take to not fear installing software? This isn't a npm problem, its a computing problem in general. Spaces like this are generally pretty against any sort of restrictions or limitations being put on computers under the name of safety (see Manifest v3)

dwoldrich an hour ago | parent | next [-]

For libraries, I like the Gnu Affero Public License[1]. If you run the library in software with that license, you have to publish all the source of the entire project that incorporates it.

No corporation could tolerate this, though, so the library vendor can negotiate a commercial license of their software for appropriate fees.

That said, corporations are not going to want to negotiate fees with 100's of vendors over constantly fluctuating dependencies in their software.

This is why the next big language/software ecosystem needs to integrate payments to vendors in their repository system. That way, commercial license management can occur between the ecosystem owners and the corporate customers and all the vendors get paid their fair share.

Similar to Amazon's Dynamo API, whatever the next big language/ecosystem is needs to be designed around _billing_ and automatic license management for # of deployments, seats, call volumes, etc.

[1] https://web.archive.org/web/20260712154038/https://www.gnu.o...

jchw 2 hours ago | parent | prev [-]

Manifest v3's actual motive was so shamelessly transparent that most of us just don't allow the "safety" argument for it to really be entertained. I don't have a suspension of disbelief rich enough to pretend I don't know.

sunaookami 2 hours ago | parent | prev [-]

No way to prevent this says only package manager where this regularly happens.